Manual Chapter : Using APM as a Proxy with Workspace One

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1
Manual Chapter

Using APM as a Proxy with Workspace One

Overview: Using APM as a proxy with Workspace One

This implementation describes how to set up Workspace One Cloud as an Identity Provider (IDP) in front of F5 Access Policy Manager (APM) as a Service Provider (SP) using APM as a gateway for VMware Horizon. The configuration creates the single pane of glass that Workspace One/Identity Manager provides with the DMZ security and scalability that F5 PCoIP/Blast Proxy brings with VMware Horizon.

About Workspace One Cloud

Workspace One and VMware Identity Manager combine applications and desktops into a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based.

Workspace One Cloud deployment

Instead of being deployed on-premise within a datacenter, Workspace One Cloud is deployed in the cloud. Organizations can centralize assets, devices, and applications, and manage users and data securely. The system also gains access to upgrades in real-time preventing maintenance outages during upgrades.

Workspace One Cloud workflow

Together, VMware and F5 integrate additional layers of security and provide gateway access using Workspace One Cloud and Identity Manager.

About VMware Identity Manager on-premise

VMware Identity Manager combines applications and desktops in a single, aggregated workspace. Employees can then access the desktops and applications regardless of where they are based. With fewer management points and flexible access, Identity Manager reduces the complexity of IT administration.

VMware Identity Manager deployment

Identity Manager is delivered as a virtual appliance that is easy to deploy onsite and integrate with existing enterprise services or can be deployed on a Windows platform. Organizations can centralize assets, devices, and applications and manage users and data securely behind the firewall. Users can share and collaborate with external partners and customers securely when policy allows.

VMware Identity Manager workflow

F5 and VMware have developed an integration to add additional layers of security and provide gateway access with VMware Identity Manager.

Prerequisites for using Workspace One with APM

The following prerequisites must be completed before proceeding with the APM and Workspace One configuration. For additional information on BIG-IP system tasks, refer to the BIG-IP documentation on support.f5.com.

  • Create and import an SSL certificate that contains the load-balanced FQDN to use for Identity Manager Portal. (VIDM deployments only)
  • Upload the following to the BIG-IP system: (VIDM deployments only).
    • SSL certificate
    • Private Key for the load-balanced FQDN certificate
    • Primary CA or Root CA for the SSL certificate you uploaded to the BIG-IP system
      Note: The Primary or Root CA for the FQDN certificate is also uploaded to the BIG-IP system and must be loaded onto each Identity Manager appliance.
  • Deploy and configure Workspace One and VMware Identity Manager.
    • For VMware Identity Manager, configure a (3-Node) behind a LTM FQDN VIP on the BIG-IP system and set up VIDM in the domain and Horizon environment.
    • For Workspace One Cloud, set up the environment with connectors to the domain and Horizon environment.
  • Set up and configure VMware Horizon behind an APM VIP on the BIG-IP system (the VIP can be deployed using the iAPP).
Note: VMware recommends using certificates that support Subject Alternate Names (SANs) defining each of the node FQDNs (public or internal) within the load-balanced VIP FQDN.

Although you can use wildcard certificates, due to wildcard certificate formats, SAN support is not typically available with wildcards from public CAs; public CAs may complain about supplying an internal FQDN as a SAN value even if they do support SAN values. Additionally, some VMware Identity Manager features may not be available with wildcard certificates when SAN support is not defined.

For additional details on VIDM LTM configuration, refer to the F5 integration guide Load Balancing VMware Identity Manager located at https://f5.com/Portals/1/PDF/Partners/f5-big-ip-vmware-workspaceone-integration-guide.pdf.

For additional details on Horizon APM configuration, refer to the F5 Deployment guide Deploying F5 with VMware View and Horizon View located at https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf.

vIDM LTM configuration

Refer to the screen shots to confirm that the prerequisites for vIDM LTM configuration have been completed.

Virtual server list

Virtual server configuration

Virtual server resources

For additional details on vIDM LTM configuration, refer to the F5 integration guide Load Balancing VMware Identity Manager located at https://f5.com/Portals/1/PDF/Partners/f5-big-ip-vmware-workspaceone-integration-guide.pdf.

Horizon APM configuration

Refer to the screen shots to confirm that the prerequisites for Horizon APM configuration have been completed.

Application Service list

Virtual server list for Horizon

For additional details on Horizon APM configuration, refer to the F5 Deployment guide Deploying F5 with VMware View and Horizon View located at https://www.f5.com/pdf/deployment-guides/vmware-horizon-view-dg.pdf.

vIDM/WS1 configuration: Enabling JWT

You need to be sure that either the Workspace One Cloud is deployed and set up with connectors, and that VMware Horizon and/or the VIDM environment is set up behind the load balancer and configured for VMware Horizon.
You start by configuring the vIDM/WS1 environment to work with Access Policy Manager (APM).
  1. In a browser, log in as an Admin to the VIDM/WS1 FQDN (in this example, https://myws1-onprem.bd.f5.com).
  2. From the Catalog menu, select Virtual Apps Collection.
  3. Click Virtual App Configuration.
  4. Check that a Horizon environment is set up and configured for the integration.
  5. From the Catalog menu, select Virtual Apps Collection.
  6. Click Virtual App Settings.
  7. Click the Network Settings tab, and select All Ranges.
  8. In the All Ranges Network Setting:
    1. Select Wrap Artifact in JWT on the Horizon Environment that was previously configured.
    2. Click the + under Audience in JWT next to the checkbox and type a unique name (for example, f5cpa).
      Save this name. You will need it when creating OAUTH resources.
    3. Click Save.
When completed, vIDM/WS1 is set up.
Next, you can configure the required Access Policy Manager settings.

Disabling strict updates on APM

On the BIG-IP system, you need to disable strict updates in the Horizon APM iApp.
  1. Log on to the BIG-IP system.
  2. On the Main tab, click iApps > Application Service .
    The Application Service List opens.
  3. Select the iApp deployed for the Horizon APM configuration.
    The iApp opens showing the properties.
  4. On the Properties tab, by Application Service, select Advanced.
  5. Clear the Strict Updates check box.
  6. Click Update.
The Horizon APM configuration iApp is updated.

Creating OAUTH Resources

On the BIG-IP system, you need to create OAUTH resources.
  1. On the Main tab, click Access > Federation > OAuth Client / Resource Server > Provider
    The Provider list screen opens.
  2. Click Create.
    A new provider is created.
  3. For Name, type a unique name.
  4. For Type, select Custom.
  5. In the OpenID URI field, type the following (replacing <MyVIDMFQDN> with the name you used).
    https://<MyVIDMFQDN>/SAAS/auth/.well-known/openid-configuration
  6. Click Discover.
    During the discovery process, an In Progress... message displays. If the discovery is successful, some of the previously empty areas are populated with data, and additional boxes appear.

  7. Click Save to complete the Provider configuration.
  8. On the Main tab, click Access > Federation > JSON Web Token > Token Configuration .
    You see the token that was automatically created during the discovery process. Make sure that it contains the correct vIDM FQDN in the Issuer column.

  9. Click the name of the automatically created token.
  10. Add the audience to the token:
    1. In the Audience field, type the name of the audience (created previously in the vIDM/WS1 configuration: Enabling JWT section), and click Add.
    2. Click Save.
  11. On the Main tab, click Access > Federation > JSON Web Token > Provider List .
    The Provider List opens.
  12. Click Create.
    A new JSON Web Token Provider is created.

  13. For Name, type a unique name.
  14. From Provider, select the OAUTH Client / Resource Server Provider previously created, and click Add.
Next, you can modify the Horizon APM access policy.

Modifying the Horizon access policy

You need to have previously created a Horizon access policy as part of the prerequisites.
You need to modify the Horizon access policy.
  1. On the Main tab, click Access > Profiles / Polices > Access Profiles (Per Session Policies) .
  2. In the Horizon APM access policy (previously created), click Edit in the Per-Session Policy column.
    The access policy opens in the Visual Policy Editor. It shows a typical Horizon iApp deployment.

  3. Remove all of the policy items except Client Type, View Client Resource Assign, and Browser Assign.
    1. To delete the other items, click the X within the box (usually top right corner).
      A confirmation dialog appears.

    2. Keep the default option Connect previous node to fallback branch selected.
    3. Click Delete.
    The resulting access policy should look like this.

  4. Click the + between the VMware View Client Type and View Client Resource Assign to create an item between the two.
  5. On the Authentication tab, select OAUTH Scope, and click Add Item.
  6. Define the OAUTH Scope:
    1. Type a unique name (because the View Client Path specifies View Client OAuth Scope).
    2. From the Token Validation Mode list, select Internal.
    3. From the JWT Provider List, select the JWT Provider previously created.
    4. Click Save.
    The updated access policy should look like this.

  7. Click the + next to Successful between View Client OAuth Scope and View Client Resource Assign to create an item between the two.
  8. On the Assignment tab, select Variable Assign, and click Add Item.
  9. Define the Variable Assign:
    1. Type a unique name (because the View Client Path specifies View Client Variable).
    2. Click Add new entry.
    3. Click the change link on line 1.
    4. On the left, type session.logon.last.username.
    5. On the right, type session.oauth.scope.last.jwt.upn.
    6. Click Finished.
  10. Click Save.
    The updated access policy should look like this.

  11. Between Client Type and Browser Resource Assign, click the + next to Full or Mobile Browser to create an item.
  12. On the Authentication tab, select OAUTH Scope, and click Add Item.
  13. Define the OAUTH Scope:
    1. Type a unique name (because the View Client Path specifies View Client OAuth Scope).
    2. From the Token Validation Mode list, select Internal.
    3. From the JWT Provider List, select the JWT Provider previously created.
    4. Click Save.
    The updated access policy should look like this.

  14. Click the + between Browser OAuth Scope and Browser Resource Assign in the Successful line to create an object between the two.
  15. Select Variable Assign from the Assignment tab, and click Add Item.
  16. Define the Variable Assign:
    1. Type a unique name (because the Browser Path specifies Browser Variable Assign).
    2. Click Add new entry.
    3. Click the change link on line 1.
    4. On the left, type session.logon.last.username.
    5. On the right, type session.oauth.scope.last.jwt.upn.
    6. Click Finished.
  17. Click Save.
    The updated access policy should look like this.

  18. In the top left of the screen, click Apply Access Policy to save all changes and apply them.

vIDM/WS1 configuration: Verifying JWT tokens

It is a good idea to validate that a JWT token is being created and sent to the appropriate site. You perform the validation using the Google Chrome web browser.
  1. From the vIDM/WS1 portal (opened using Chrome), log in as a user with access to the Horizon resources.
  2. In the upper-right of the browser, click the three dots then More Tools > Developer Tools .
    The Developer Tools Console opens.
  3. In the Developer Console, select Network.
  4. In the catalog section of the Workspace One Portal, select an application or desktop and click Open for the application or desktop that triggers the event to launch either the HTML5 or Native Client.
    In the Developer Console, an item typically named Workspace-****** appears.

  5. Select the object you just created (Workspace-***<GUID>***).
    Note: The URL/URI string includes the FQDN of the Horizon environment.
    1. In the Preview tab of the Developer Console, expand Response:.
    2. Expand launchURLs:.
    3. Expand both the 0: and 1: sections to reveal the launch URLs.
  6. Review the launch URL strings field called SAMLart=.
    • If the line specifies SAMLart=JWT:, then VMware Identity Manger is wrapping the JWT token within the SAML artifact field for F5 to decrypt.
    • If the SAMLart= field does not contain JWT:, then the Horizon Environment that you are trying to access is not configured for JWT wrapping.

Troubleshooting Workspace One integration

If you see the following error or a similar one, check the DNS settings on your vIDM servers. Make sure they point to the LTM VIP not the APM VIP or you may receive an error.